[lnkForumImage]
TotalShareware - Download Free Software
Confronta i prezzi di migliaia di prodotti.
Asp Forum
 Home | Login | Register | Search 


 

Forums >

comp.lang.c

Re: Arithmetic overflow checking

thomas.mertes

7/10/2011 8:47:00 AM

On 8 Jul., 05:04, Patricia Shanahan <p...@acm.org> wrote:
> On 7/7/2011 5:51 PM, Peter Duniho wrote:
> ...
>
> > I would not worry about the "simple" or "efficient" criteria. IMHO, if
> > one is deciding to apply overflow checking to every computation, one has
> > already abandoned the hope of efficiency.
>
> Not necessarily. I assumed a couple of decades ago that array index
> checking would be impossibly inefficient, but it seems to work fine in
> Java.

And in other languages, like Pascal, Ada and Seed7, as well.

> I suspect that having integer range types would be a major help.
> When I'm working out whether an int can overflow, I often think in terms
> of the ranges of inputs to calculations. A compiler would be able to
> tell that adding a digit to a digit always fits in the range [0,18].

I think there are two things:

1. range checks (like value fits in [0,18]).
2. check if an 32-bit (or 8-bit, 16-bit, 64-bit, ...)
computation overflows.

In the 1. case a compiler could generate code that does
the computation and checks the range afterwards.
In the 2. case a computation could result in wrong data,
because the overflow was silently ignored. In this case
either some checks must be done before the computation or
the overfow condition is recognized during or after the
computation. In an ideal world the hardware would do this.

A CPU could (in theory) easily recognize the overflow
and generate an interrupt. This way normal computations
(without overflow) would have no extra cost. AFAIK
commonly used CPUs do not have this possibility. They
have some FLAG, which is set when an overflow occurred.
But there is no possibility to cause an interrupt, when
the overflow FLAG is set. So code, which checks for
overflow, must check this flag after every computation.
Needless to say: Normal computations (without overflow)
are slowed down by this checks.

Because of this slow down most compilers and virtual
machines (AFAIK inluding the JVM) have no overflow
checking.

In other words: A missing hardware feature:

Trigger interupt when overflow flag is set.

Causes compilers and JVMs to omit overflow checks.


Greetings Thomas Mertes

--
Seed7 Homepage: http://seed7.sourc...
Seed7 - The extensible programming language: User defined statements
and operators, abstract data types, templates without special
syntax, OO with interfaces and multiple dispatch, statically typed,
interpreted or compiled, portable, runs under linux/unix/windows.
103 Answers

China Blue Veins

7/10/2011 9:47:00 AM

0

In article <3797038f-22d1-40b2-8c12-60db5a0976b8@t5g2000yqj.googlegroups.com>,
tm <thomas.mertes@gmx.at> wrote:

> On 8 Jul., 05:04, Patricia Shanahan <p...@acm.org> wrote:
> > On 7/7/2011 5:51 PM, Peter Duniho wrote:
> > ...
> >
> > > I would not worry about the "simple" or "efficient" criteria. IMHO, if
> > > one is deciding to apply overflow checking to every computation, one has
> > > already abandoned the hope of efficiency.
> >
> > Not necessarily. I assumed a couple of decades ago that array index
> > checking would be impossibly inefficient, but it seems to work fine in
> > Java.
>
> And in other languages, like Pascal, Ada and Seed7, as well.

In C the array size is not part of the type or value, so there is nothing to
check. Addressing an array outside its allocation is undefined in general, but
an implementation can define it anyway.

> 2. check if an 32-bit (or 8-bit, 16-bit, 64-bit, ...)
> computation overflows.

C integer arithmetic is always modulo M, for some large M (like 2**32 or 2**64).
So the concept of overflow does not apply.

> Trigger interupt when overflow flag is set.

Not all CPUs detect integer arithmetic overflow. Not all CPUs signal integer
arithmetic problems.

--
I remember finding out about you, |A free Thai dyed shirt in every box.
Everyday my mind is all around you,| I'm whoever you want me to be.
Looking out from my lonely room | Annoying Usenet one post at a time.
Day after day. | At least I can stay in character.

pete

7/10/2011 10:04:00 AM

0

China Blue Dolls wrote:

> In C the array size is not part of the type or value,
> so there is nothing to check.

In C,
the size of an array is part of the type of the array.

--
pete

China Blue Veins

7/10/2011 10:29:00 AM

0

In article <4E19791F.3E45@mindspring.com>, pete <pfiland@mindspring.com> wrote:

> China Blue Dolls wrote:
>
> > In C the array size is not part of the type or value,
> > so there is nothing to check.
>
> In C,
> the size of an array is part of the type of the array.

extern char s[];

--
I remember finding out about you, |A free Thai dyed shirt in every box.
Everyday my mind is all around you,| I'm whoever you want me to be.
Looking out from my lonely room | Annoying Usenet one post at a time.
Day after day. | At least I can stay in character.

thomas.mertes

7/10/2011 11:44:00 AM

0

On 10 Jul., 11:47, China Blue Dolls <chine.b...@yahoo.com> wrote:
> In article <3797038f-22d1-40b2-8c12-60db5a097...@t5g2000yqj.googlegroups.com>,
>
>  tm <thomas.mer...@gmx.at> wrote:
> > On 8 Jul., 05:04, Patricia Shanahan <p...@acm.org> wrote:
> > > On 7/7/2011 5:51 PM, Peter Duniho wrote:
> > > ...
>
> > > > I would not worry about the "simple" or "efficient" criteria. IMHO, if
> > > > one is deciding to apply overflow checking to every computation, one has
> > > > already abandoned the hope of efficiency.
>
> > > Not necessarily. I assumed a couple of decades ago that array index
> > > checking would be impossibly inefficient, but it seems to work fine in
> > > Java.
>
> >   2. check if an 32-bit (or 8-bit, 16-bit, 64-bit, ...)
> >      computation overflows.
>
> C integer arithmetic is always modulo M, for some large M (like 2**32 or 2**64).
> So the concept of overflow does not apply.
>
> >   Trigger interupt when overflow flag is set.
>
> Not all CPUs detect integer arithmetic overflow. Not all CPUs signal integer
> arithmetic problems.

And popular CPUs, which do detect integer overflow, do not
trigger an interupt. This makes zero overhead overflow
detection impossible.

So software suffers because hardware / CPU designers want
to save a transistor...


Greetings Thomas Mertes

--
Seed7 Homepage: http://seed7.sourc...
Seed7 - The extensible programming language: User defined statements
and operators, abstract data types, templates without special
syntax, OO with interfaces and multiple dispatch, statically typed,
interpreted or compiled, portable, runs under linux/unix/windows.

Eric Sosman

7/10/2011 1:29:00 PM

0

On 7/10/2011 5:47 AM, China Blue Dolls wrote:
>
> In C the array size is not part of the type or value, so there is nothing to
> check.

No; the size (element count) is part of an array's type. Your
compiler will confirm this for you by issuing a diagnostic for

char matrix[5][7]; /* five char[7] arrays */
char (*nine)[9]; /* pointer to char[9] */
nine = matrix; /* point it at the first char[7] */

> C integer arithmetic is always modulo M, for some large M (like 2**32 or 2**64).
> So the concept of overflow does not apply.

This is true only for `unsigned' integer arithmetic. Signed
integer arithmetic is in fact vulnerable to overflow.

--
Eric Sosman
esosman@ieee-dot-org.invalid

Malcolm McLean

7/10/2011 1:52:00 PM

0

On Jul 10, 4:28 pm, Eric Sosman <esos...@ieee-dot-org.invalid> wrote:
>
>      This is true only for `unsigned' integer arithmetic.  Signed
> integer arithmetic is in fact vulnerable to overflow.
>
All arithmetic is vulnerable to overflow. The question is whether the
system reports and error or gives wrong results. Sometimes wrong
results are better than errors, for instance in video games, but only
rarely.
--
Learn all about MPI
Tutorial on my website: http://www.malcolmmclean.site...

robertwessel2@yahoo.com

7/10/2011 3:48:00 PM

0

On Sun, 10 Jul 2011 01:47:25 -0700 (PDT), tm <thomas.mertes@gmx.at>
wrote:

>On 8 Jul., 05:04, Patricia Shanahan <p...@acm.org> wrote:
>> On 7/7/2011 5:51 PM, Peter Duniho wrote:
>> ...
>>
>> > I would not worry about the "simple" or "efficient" criteria. IMHO, if
>> > one is deciding to apply overflow checking to every computation, one has
>> > already abandoned the hope of efficiency.
>>
>> Not necessarily. I assumed a couple of decades ago that array index
>> checking would be impossibly inefficient, but it seems to work fine in
>> Java.
>
>And in other languages, like Pascal, Ada and Seed7, as well.


A good compiler can often limit the number of time array bounds checks
to much less than every access. For example, a sequence of uses of
the same index value obvious only needs the index checked once, or a
loop with bounds that don't change during the loop can often move the
check ahead of the loop.


>> I suspect that having integer range types would be a major help.
>> When I'm working out whether an int can overflow, I often think in terms
>> of the ranges of inputs to calculations. A compiler would be able to
>> tell that adding a digit to a digit always fits in the range [0,18].
>
>I think there are two things:
>
> 1. range checks (like value fits in [0,18]).
> 2. check if an 32-bit (or 8-bit, 16-bit, 64-bit, ...)
> computation overflows.
>
>In the 1. case a compiler could generate code that does
>the computation and checks the range afterwards.
>In the 2. case a computation could result in wrong data,
>because the overflow was silently ignored. In this case
>either some checks must be done before the computation or
>the overfow condition is recognized during or after the
>computation. In an ideal world the hardware would do this.
>
>A CPU could (in theory) easily recognize the overflow
>and generate an interrupt. This way normal computations
>(without overflow) would have no extra cost. AFAIK
>commonly used CPUs do not have this possibility. They
>have some FLAG, which is set when an overflow occurred.
>But there is no possibility to cause an interrupt, when
>the overflow FLAG is set. So code, which checks for
>overflow, must check this flag after every computation.
>Needless to say: Normal computations (without overflow)
>are slowed down by this checks.
>
>Because of this slow down most compilers and virtual
>machines (AFAIK inluding the JVM) have no overflow
>checking.
>
>In other words: A missing hardware feature:
>
> Trigger interupt when overflow flag is set.
>
>Causes compilers and JVMs to omit overflow checks.


S/360 and its descendents have such a feature (for both binary and
decimal arithmetic), which can be enabled by applications by setting a
bit in the PSW. Nobody uses it. It doesn't do quite everything (for
example, the multiply instruction produces double width results, and
doesn't ever overflow, but you obviously have an issue if you're going
to store that result back in a single width variable). It also messes
up enough code, that what you'd really want is a separate set of
instruction that did or didn't trap on overflow (S/360 already has a
number of separate signed and unsigned binary arithmetic instructions,
the unsigned ones don't trap on "overflow").

In a similar vein, SNaNs are only rarely actually set to trap, even
though a lot of hardware that support IEEE math does support doing
that.

Joshua Cranmer

7/10/2011 4:25:00 PM

0

On 07/10/2011 05:47 AM, China Blue Dolls wrote:
> In article<3797038f-22d1-40b2-8c12-60db5a0976b8@t5g2000yqj.googlegroups.com>,
>> 2. check if an 32-bit (or 8-bit, 16-bit, 64-bit, ...)
>> computation overflows.
>
> C integer arithmetic is always modulo M, for some large M (like 2**32 or 2**64).
> So the concept of overflow does not apply.

That is only true for unsigned integers; signed integer overflow is
undefined.

--
Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth

Phil Carmody

7/10/2011 5:52:00 PM

0

China Blue Dolls <chine.bleu@yahoo.com> writes:
> In article <4E19791F.3E45@mindspring.com>, pete <pfiland@mindspring.com> wrote:
> > China Blue Dolls wrote:
> >
> > > In C the array size is not part of the type or value,
> > > so there is nothing to check.
> >
> > In C,
> > the size of an array is part of the type of the array.

One might even say that array types are characterized by their
element type and by the number of elements in the array.

> extern char s[];

That's not an array, that's a promise that somewhere else there's
an array.

Phil
--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle." -- Matthew Vernon

Keith Thompson

7/10/2011 9:47:00 PM

0

Malcolm McLean <malcolm.mclean5@btinternet.com> writes:
> On Jul 10, 4:28 pm, Eric Sosman <esos...@ieee-dot-org.invalid> wrote:
>>      This is true only for `unsigned' integer arithmetic.  Signed
>> integer arithmetic is in fact vulnerable to overflow.
>>
> All arithmetic is vulnerable to overflow. The question is whether the
> system reports and error or gives wrong results. Sometimes wrong
> results are better than errors, for instance in video games, but only
> rarely.

All arithmetic that's intended to model (a subset of) the real
numbers with the usual mathematical operations is vulnerable to
overflow. (Even arbitrary-precision packages can run out of memory.)

But C unsigned arithmetic, for example *doesn't* model normal real
arithmetic; it models arithmetic modulo 2**N and is not vulnerable
to overflow. (Wraparound is not overflow; it yields the correct
wrapped result.)

--
Keith Thompson (The_Other_Keith) kst-u@mib.org <http://www.ghoti.ne...
Nokia
"We must do something. This is something. Therefore, we must do this."
-- Antony Jay and Jonathan Lynn, "Yes Minister"